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Abstract 

We design a perfect zero-knowledge proof system for recognition if two 
permutation groups are conjugate. It follows, answering a question posed by 
O. G. Ganyushkin, that this recognition problem is not NP-complete unless 
the polynomial-time hierarchy collapses. 

1 Introduction 

Let S m be a symmetric group of order m. We suppose that an element of S m , a 
permutation of the set {1,2, . . . , m}, is encoded by a binary string of length I = 
|~log 2 m!~|, m(log 2 m — 0(1)) < / < mlog 2 m. Given v G S m , y G S m , and Y C S m , 
we denote y v = v~ l yv and Y v = {y v : y G Y}. Two subgroups G and H of S m are 
similar if their actions on {1, 2, ... , m} are isomorphic or, equivalently, if G = H v 
for some v G S m . If X C S m , let (X) denote the group generated by elements of X. 
We address the following algorithmic problem. 

Similitude of Permutation Groups 

Given: A ,Ai C S m . 

Recognize if: Aq and A\ are similar. 

Note that the Equality of Permutation Groups problem, that is, recognition 
if {Aq) = (Ai) reduces to recognition, given X C S m and y G S m , if y G (X). Since 
the latter problem is known to be solvable in time bounded by a polynomial of the 
input length [20, 10], so is Equality of Permutation Groups. As a consequence, 
Similitude of Permutation Groups belongs to NP, the class of decision problems 
whose yes-instances have polynomial-time verifiable certificates. The similitude of 
{A ) and (Ai) is certified by a permutation v such that {A%) = {Aq). 

Another problem, Isomorphism of Permutation Groups, is to recognize if {Aq) 
and {Ai) are isomorphic. This problem also belongs to NP (E. Luks, see [5, Corollary 
4.11]). Furthermore, it is announced [7] that Isomorphism of Permutation Groups 
belongs to the complexity class coAM (see Section 2 for the definition). By [8] 
this implies that Isomorphism of Permutation Groups is not NP-complete unless 



the polynomial-time hierarchy collapses to its second level (for the background on 
computational complexity theory the reader is referred to [12]) 

O. G. Ganyushkin [11] posed a question if a similar non-completeness result can 
be obtained for Similitude of Permutation Groups. In this paper we answer this 
question in affirmative. We actually prove a stronger result of independent interest, 
namely, that Similitude of Permutation Groups has a perfect zero-knowledge in- 
teractive proof system. It follows by [1] that Similitude of Permutation Groups 
belongs to coAM and is therefore not NP-complete unless the polynomial-time hi- 
erarchy collapses. 

Informally speaking, a zero-knowledge proof system for a recognition problem of 
a language L is a protocol for two parties, the prover and the verifier, that allows the 
prover to convince the verifier that a given input belongs to L, with high confidence 
but without communicating the verifier any information (the rigorous definitions are 
in Section 2). Our zero-knowledge proof system for Similitude of Permutation 
Groups uses the underlying ideas of the zero-knowledge proof systems designed 
in [16] for the Quadratic Residuosity and in [14] for the Graph Isomorphism 
problem. In particular, instead of direct proving something about the input groups 
(Aq) and (Ax), the prover prefers to deal with their conjugates (A ) w and (Ai) w 
via a random permutation w. The crucial point is that these random groups are 
indistinguishable by the verifier because they are identically distributed, provided 
(Aq) and (A\) are similar. However, we here encounter a complication: the verifier 
may actually be able to distinguish between (A ) w and (A-i) w based on particular 
representations of these groups by their generators. Overcoming this complication, 
which does not arise in [16, 14], is a novel ingredient of our proof system. 

Our result holds true even for a more general problem of recognizing if (Aq) and 
(Ai) are conjugated via an element of the group generated by a given set U C S m . 
We furthermore observe that a similar perfect zero-knowledge proof system works 
also for the Element Conjugacy problem of recognizing, given a , ai G S m and 
U C S m , if ai = Oq for some v G (U). A version of this problem where do, «i G (U) 
was proved to be in coAM in [5, Corollary 12.3 (i)]. Note that the proof system 
developed in [5] uses different techniques and is not zero-knowledge. 

2 Preliminaries 

Every decision problem under consideration can be represented through a suitable 
encoding as a recognition problem for a language L over the binary alphabet. We 
denote the length of a binary word w by \w\. 

An interactive proof system {V, P}, further on abbreviated as IPS, consists of two 
probabilistic Turing machines, a polynomial-time verifier V and a computationally 
unlimited prover P. The input tape is common for the verifier and the prover. 
The verifier and the prover also share a communication tape which allows message 
exchange between them. The system works as follows. First both the machines 
V and P are given an input w and each of them is given an individual random 
string, r v for V and r P for P. Then P and V alternatingly write messages to one 
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another in the communication tape. V computes its i-th message Oj to P based 
on the input w, the random string r v , and all previous messages from P to V. P 
computes its i-th message bi to V based on the input w, the random string rp, 
and all previous messages from V to P. After a number of message exchanges V 
terminates interaction and computes an output based on w, rv, and all hi. The 
output is denoted by {V,P}(w). Note that, for a fixed w, {V,P}(w) is a random 
variable depending on both random strings r v and r P . 

Let e(n) be a function of a natural argument taking on positive real values. We 
say that {V, P} is an IPS for a language L with error e(n) if the following two 
conditions are fulfilled. 

Completeness. If w G L, then {V,P}(w) = 1 with probability at least 1 — e(|w|). 
Soundness. Hw^L, then, for an arbitrary interacting probabilistic Turing machine 
P*, {V, P*}(w) = 1 with probability at most e(|iy|). 

We will call any prover P* interacting with P on input w L cheating. If in 
the completeness condition we have {V, P}(w) = 1 with probability 1, we say that 
{V, P} has one-sided error e(n). 

An IPS is public- coin if the concatenation a± . . . of the verifier's messages is 
a prefix of his random string r v . A round is sending one message from the verifier 
to the prover or from the prover to the verifier. The class AM consists of those 
languages having IPSs with error 1/3 and with number of rounds bounded by a 
constant for all inputs. A language L belongs to the class coAM iff its complement 
{0, 1}* \L belongs to AM. 

Proposition 2.1 (Goldwasser-Sipser [17]) Every IPS for a language L can be 
converted into a public-coin IPS for L with the same error at cost of increasing the 
number of rounds in 2. 

Given an IPS {V, P} and an input w, let viewv,p(w) = (r' v , a±, bi, . . . , a^, bk) 
where r' v is a part of ry scanned by V during work on w and ai, b±, . . . , a^, bk are all 
messages from P to V and from V to P (ai may be empty if the first message is sent 
by P). Note that the verifier's messages ai, . . . , a& could be excluded because they 
are efficiently computable from the other components. For a fixed w, viewy i p(w) is 
a random variable depending on ry and rp. 

An IPS {V, P} is perfect zero-knowledge on L if for every interacting polynomial- 
time probabilistic Turing machine V* there is a probabilistic Turing machine My* , 
called a simulator, that on every input w G L runs in expected polynomial time and 
produces output My*(w) which, if considered as a random variable depending on 
a random string of My, is distributed identically with viewy* i p(w). This notion 
formalizes the claim that the verifier gets no information during interaction with the 
prover: everything that the verifier gets he can get without the prover by running the 
simulator. According to the definition, the verifier learns nothing even if he deviates 
from the original program and follows an arbitrary probabilistic polynomial-time 
program V*. We will call the verifier V honest and all other verifiers V* cheating. If, 
for all V*, My* is implemented by the same simulator M running V* as a subroutine, 
we say that {V, P} is black-box simulation zero-knowledge. 
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We call e(n) negligible if e(n) < rc c for every c and all n starting from some 
n (c). The class of languages L having IPSs that are perfect zero-knowledge on L 
and have negligible error is denoted by PZK. 

Proposition 2.2 (Aiello-Hastad [1]) PZK C coAM. 

The k(n)-fold sequential composition of an IPS {V, P} is the IPS {V , P'} in 
which V and P' on input u> execute the programs of V and P sequentially 
times, each time with independent choice of random strings ry and rp. At the end 
of interaction V outputs 1 iff {V,P}(w) = 1 in all k(\w\) executions. The initial 
system {V, P} is called atomic. 

Proposition 2.3 

1. If {V',P'} is the k(n)-fold sequential composition of {V,P}, then 

maxP [{V',P*}(w) = 1] = (maxP [{V,P*}(w) = l]j 

Consequently, if {V, P} is an IPS for a language L with one-sided constant 
error e, then {V, P'} is an IPS for L with one-sided error e k ^ n \ 

2. (Goldreich-Oren [15], see also [13, Lemma 6.19]) If in addition {V, P} is hlack- 
hox simulation perfect zero-knowledge on L, then {V, P'} is perfect zero- 
knowledge on L. 

In the k(n)-fold parallel composition {V", P"} of {V, P}, the program of {V, P} 
is executed fc(|iu|) times in parallel, that is, in each round all versions of a 

message are sent from one machine to another at once as a long single message. In 
every parallel execution V" and P" use independent copies of ry and rp. At the 
end of interaction V" outputs 1 iff {V,P}(w) = 1 in all executions. 

Proposition 2.4 If {V",P"} is the k(n)-fold parallel composition of {V,P}, then 
maxP [{V",P*}(w) = 1] = (maxP [{V,P*}(w) = 1]J . 

3 Group Conjugacy 

We consider the following extension of Similitude of Permutation Groups. 

Group Conjugacy 
Given: A ,Ai,U C S m . 

Recognize if: (Ai) = (A ) v for some v E (U). 
Theorem 3.1 Group Conjugacy is in PZK. 

Designing a perfect zero-knowledge interactive proof system for Group Conju- 
gacy, we will make use of the following facts due to Sims [20, 10]. 
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1. There is a polynomial-time algorithm that, given X C S m and y G S m , rec- 
ognizes if y G (X). As a consequence, there is a polynomial-time algorithm 
that, given X C S'm and F C S'm, recognizes if (X) = (F). 

2. There is a probabilistic polynomial-time algorithm that, given X C S m , out- 
puts a random element of (X). Here and further on, by a random element of 
a finite set Z we mean a random variable uniformly distributed over Z. 

Given A C S m and a number k, define 

G(A, k) = { (x u . . . , x k ) : G S m , (xi, . . . , x k ) = (A)} . 

In the sequel, the length of the binary encoding of an input A ,Ai,U C S m will 
be denoted by n. We set k = 4m. On input (A , A 1 ,U), the IPS we design is the 
n-fold sequential repetition of the following 3-round system. We will say that the 
verifier V accepts if {V, P}(A , Ai,U) = 1 and rejects otherwise. 

If (A , Ai, U) is yes-instance of Group Conjugacy, P finds an element v G (U) 
such that (A x ) = (A ) v . 

1st round. 

P generates a random element u G (U), computes A = A™, chooses a random 
element (ai, . . . , a k ) in G(A, k), and sends (ai, . . . , at) to V . V checks if all a« G S m 
and, if not (this is possible in the case of a cheating prover), halts and rejects. 

2nd round. 

V chooses a random bit (3 G {0, 1} and sends it to P. 

3rd round. 

Case (5 — 1. P sends V the permutation w = u. V checks if w G (U) and if 
( ai ,...,a k ) = {A™). 

Case (3^1 (this includes the possibility of a message (3 £ {0, 1} produced by a 
cheating verifier). P computes w = vu and sends w to V. V checks if w G (U) and 

if (ai,...,a fc > = <^>. 

V halts and accepts if the conditions are checked successfully and rejects other- 
wise. 

We now need to prove that this system is indeed an IPS for Group Conjugacy 
and, moreover, that it is perfect zero-knowledge. 

Completeness. To show that the prover is able to follow the above protocol, we 
have to check that G(A, k) ^ for k = 4m. The latter is true by the fact that 
every subgroup of S m can be generated by at most m — 1 elements [18]. If (A ) and 
(Ai) are conjugate via an element of (U) and the prover and the verifier follow the 
protocol, then (a 1: ... : a k ) = (A) = (A") = (A™). Therefore, the verifier accepts 
with probability 1 both in the atomic and the composed systems. 

Soundness. Assume that (Aq) and (Ai) are not conjugate via an element of (U) 
and consider an arbitrary cheating prover P*. Observe that if both (ai, ... , a k ) = 
{Af) and (a u ...,a k ) = (A$) with u,w G (U), then (AJ = (Aq)^ 1 . It follows that 

V rejects for at least one value of (3 and, therefore, in the atomic system V accepts 
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with probability at most 1/2. By Proposition 2.3 (1), in the composed system V 
accepts with probability at most 2 _ ™. 

Zero-knowledge. We will need the following fact. 

Lemma 3.2 Let G be a subgroup of S m and ai,...,a,k be random independent 
elements of G. 

1. If k — 4m, then (ai, . . . , a*,) = G with probability more than 1/2. 

2. If k = 8m, then (a 1; . . . , a^) = G with probability more than 1 — 2" 
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Proof. We will estimate from above the probability that (a±, . . . , a^) ^ G. This 
inequality is equivalent with the condition that all (ai), (a 1; a 2 ), . . . , (a±, . . . , a^) are 
proper subgroups of G. Assume that this condition is true. Since every subgroup 
chain in S m has length less than 2m [3, 9], less than 2m — 1 inclusions among 
(ai) C (ai, a 2 ) C • • • C (ai, . . . , afc) are proper. In other words, less than 2m — 1 of 
the events a 2 ^ (oi), «3 ^ (ai, 02), • • • , &k ^ • • • , Ofe-i) occur. Equivalently, there 
occur more than k—2m of the events a 2 € (ai), 03 G (ai, 02), • • • , Ofc G (ai, • • • , Ofe-i)- 

Let p = |iJ|/|G| be the maximum density of a proper subgroup of G. Given 
ai, . . . , aj e G, define -E(ai, . . . , aj) to be an arbitrary subset of G fixed so that 

(i) -E(ai, . . . , a,) has density p in G, and 

(ii) E(a\, . . . ,a,i) contains (ai, . . . , a«) if the latter is a proper subgroup of G. 
If (ai, . . . , afc) 7^ G, there must occur more than — 2m of the events 

a 2 G E(ai), a 3 G E(ai, a 2 ), . . . , a fc G £(ai, . . . , a fc _i). (1) 

It suffices to show that the probability of so many occurrences in (1) is small enough. 
Set Xi(ai, . . . , afc) to be equal to 1 if Oj+i G E(a\, . . . , Oj) and to otherwise. In 
these terms, we have to estimate the probability that 

fc-i 

£ X< > fc - 2m. (2) 

i=i 

It is easy to calculate that an arbitrary set of / events in (1) occurs with proba- 
bility p l . Hence the events (1) as well as the random variables Xi, . . . ,X^_i are 
mutually independent, and X ± , . . . , X k _i are successive Bernoulli trails with success 
probability p. 

If k = 4m, the inequality (2) implies that strictly more than a half of all the 
trails are successful. Since p < 1/2, this happens with probability less than 1/2 and 
the item 1 of the lemma follows. 

If k = 8m, the inequality (2) implies 

^ k-l 

— E*> P + e 

with deviation e = 1/4 from the mean value p = E XA . By the Chernoff 

bound [2, Theorem A. 4], this happens with probability less than exp (— 2e 2 (k — 1)) 
= exp(— m + |) < 2~ m . This proves the item 2 of the lemma. □ 
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By Proposition 2.3 (2) it suffices to show that the atomic system is black-box 
simulation perfect zero-knowledge. We describe a probabilistic simulator M that 
uses the program of V* as a subroutine and, for each V*, runs in expected polynomial 
time. Assume that the running time of V* is bounded by a polynomial q in the input 
size. On input (Aq, Ai, U) of length n, M will run the program of V* on the same 
input with random string r, where r is the prefix of M's random string of length 
q(n). In all other cases of randomization, M will use the remaining part of its 
random string. 

Having received an input (Aq, Ai,U), the simulator M chooses a random element 
w G (U) and a random bit a G {0, 1}. Then M randomly and independently chooses 
elements a\, . . . , a& in (A™) and checks if 

{ ai ,...,a k ) = (A w a ). (3) 

If (3) is not true, M repeats the choice of a 1: ... : a k again and again until (3) 
is fulfilled. By Lemma 3.2 (1), M succeeds in at most 2 attempts on average. 
The resulting sequence (a±, . . . , a k ) is uniformly distributed on G(A™, k). Then M 
computes j3 = V*(A , A 1 , U, r, a±, . . . , a k ), the message that V* sends P in the 2-nd 
round after receiving P's message a±, . . . , a k . If j3 and a are simultaneously equal to 
or different from 1, M halts and outputs (r', a±, . . . , a k , (3, w), where r' is the prefix of 
r that V* actually uses after reading the input (A , A±, U) and the prover's message 
a\, . . . , a*;. If exactly one of (3 and a is equal to 1, then M restarts the same program 
from the very beginning with another independent choice of w, a, and ai, . . . , a k - 
Notice that it might happen that in unsuccessful attempts V* used a prefix of r 
longer than r'. 

We first check that, for each V*, the simulator M terminates in expected poly- 
nomial time whenever Aq and A\ are conjugated via an element of (U). Since V* is 
polynomial-time, one attempt to pass the body of M's program takes time bounded 
by a polynomial of n. Observe that a and (r, a>i, . . . , a k ) are independent. Really, 
independently of whether a = or a = 1, r is a random string of length q(n) and 
(ai, . . . , ak) is a random element of G(A, k), where A itself is a random element of 
the orbit {Aq : we (U)} = { A™ : w G (C/)} under the conjugating action of ([/) on 
subsets of S m . It follows that a and /3 are independent and therefore an execution 
of the body of M's program is successful with probability 1/2. We conclude that on 
average M's program is executed twice and this takes expected polynomial time. 

We finally need to check that, whenever Aq and Ai are conjugated via an el- 
ement of (U), for each V* the output M(A , A±,U) is distributed identically with 
viewy*, p(A , Ai,U). Notice that both the random variables depend on V*'s ran- 
dom string r. It therefore suffices to show that the distributions are identical 
when conditioned on an arbitrary fixed r. Denote these conditional distributions by 
D M (Ao, Ai, U, r) and D V * >P (A , A u U, r). We will show that both D M (A , A ± , U, r) 
and Dv*,p(Aq, A±, U, r) are uniform on the set 

S= {(a!,...,a k ,P,w) : w G (U), = V*(A ,A 1 ,U,r,a 1 ,...,a k ), 

(ai, . . . , 
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where 5(j3) is equal to 1 if j3 — 1 and to otherwise. 

Let v G (U), such that (A^ = (A ) v , be chosen by the prover P on input 
(A ,Ai,U). Given x±, Xk G G(Ai,k) and u G (U), define <f>(xi, . . . , Xk, u) = 
(ai, . . . ,a,k, f3,w) by Oj = for all i < k, (3 — V*(A , A\, U, r, a±, . . . , a^), and 
«; = f 1_5 ( /3 )-u. As easily seen, (j>(xi, . . . , Xk, u) G S. 

Claim: The map : k) x ([/) — > 5 is one-to-one. 

Proof. Define ^(ai, . . . ,a,k, (3,w) = (x±, . . . , Xk, u) by u = v 6( -^~ 1 w and Xi = a" 
for all i < k. It is not hard to check that the map ^ is the inverse of 0. □ 

Observe now that if (x±, . . . , Xk, u) is chosen at random uniformly in G{A±, k) x 
(U), then <f>(xi, . . . ,Xk,u) has distribution Dv*,p(Aq, Ai, U, r). By Claim we con- 
clude that Dv*,p(A Q , Ai, U, r) is uniform on S. 

As a yet another consequence of Claim, observe that if a random tuple (ai, . . . , a^, 
f3,w) is uniformly distributed on S, then its prefix (ai,...,dfc) is a random ele- 
ment of G(A,k), where A is a random element of the orbit {A^ : w G (£/)} = 
{A™ : w G (£/)} under the conjugating action of (U) on subsets of S m . This sug- 
gests the following way of generating a random element of S. Choose uniformly at 
random a G {0, 1}, w G (U), (a±, . . . , a*) G fc) and, if 

5 (V*CA , Ai, C/, r, ai, . . . , a fc )) = a, (4) 

output (ai, . . . , at, V r *(A , Ai, [/, r, a±, . . . , a^), «;); otherwise repeat the same proce- 
dure once again independently. Under the condition that (4) is fulfilled for the first 
time in the i-th repetition, the output is uniformly distributed on S. Notice now that 
this sampling procedure coincides with the description of D M (A , A±, U, r). It fol- 
lows that Dm(A q , Ai, U, r) is uniform on S. The proof of the perfect zero-knowledge 
property of our proof system for Group Conjugacy is complete. 

The following corollary immediately follows from Theorem 3.1 by Proposition 
2.2 and the result of [8]. 

Corollary 3.3 Group Conjugacy is in coAM and is therefore not NP-complete 
unless the polynomial-time hierarchy collapses. 

We also give an alternative proof of this corollary that consists in direct designing 
a two-round IPS {V, P} with error 1/4 for the complement of Group Conjugacy and 
applying Proposition 2.1. More precisely, we deal with the Group Non- Conjugacy 
problem of recognizing, given A ,Ai,U C S m , if there is no v G (U) such that 

(Ai) = (A y. 

Set k = 8m. The below IPS is composed twice in parallel. 
1st round. 

V chooses a random bit a G {0, 1}, a random element u G (U), and a sequence of 
random independent elements a\, . . . , G (A™)- Then V sends (a±, . . . , a^) to P. 

2nd round. 

P determines f3 such that (ai, . . . , a^) and (Ap) are conjugate via an element of (U) 
and sends (3 to V . 
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V accepts if (3 — a and rejects otherwise. 

Completeness. By Lemma 3.2 (2), (ai, . . . , a^) = (A™) with probability at least 
1 — 2~ m . If this happens and if (A ) and (Ai) are not conjugated via (U), the 
group (ai, . . . , 0^) is conjugated via (U) with precisely one of (A ) and {Ai). In this 
case P is able to determine a correctly. Therefore V accepts with probability at 
least 1 — 2~ m in the atomic system and with probability at least 1 — 2~ m+1 in the 
composed system. 

Soundness. If (A ) and (Ai) are conjugated via (U), then for both values a = 
and a — 1, the vector (ai,...,a,k) has the same distribution, namely, it is a 
random element of A k , where A is a random element of the orbit {Aq : w G (U)} = 
{A™ : w G (U)} under the conjugating action of (U) on subsets of S m . It follows 
that, irrespective of his program, P guesses the true value of a with probability 1/2. 
With the same probability V accepts in the atomic system. By Proposition 2.4, in 
the composed system V accepts with probability 1/4. 

Note that {V, P} is perfect zero-knowledge only for the honest verifier but may 
reveal a non-trivial information for a cheating verifier. 

4 Element Conjugacy 

This section is devoted to the following problem. 
Element Conjugacy 
Given: ao> Q i S m , U C S m . 
Recognize if: for some v G (U). 

L. Babai [5] considers a version of this problem with ao, ai G (C/) and proves 
that it belongs to coAM. His result holds true not only for permutation groups 
but also for arbitrary finite groups with efficiently performable group operations, in 
particular, for matrix groups over finite fields. It is easy to see that Theorem 3.1 
carries over to Element Conjugacy. 

Theorem 4.1 Element Conjugacy is in PZK. 

The proof system designed in the preceding section for Group Conjugacy ap- 
plies to Element Conjugacy as well. Moreover, the proof system for Element 
Conjugacy is considerably simpler. In place of groups (Aq) and (A™) we now deal 
with single elements ag and a" and there is no complication with representation of 
(Aq) and (A™) by generating sets. 

We now notice relations of Element Conjugacy with the following problem 
considered by E. Luks [19] (see also [6, Section 6.5]). Given x G S m , let C(x) denote 
the centralizer of x in S m . 
Centralizer and Coset Intersection 
Given: x, y G S m , U C S m . 
Recognize if: C(x) (1 (U)y ^ 0. 

Since, given a permutation x, one can efficiently find a list of generators for C(x), 
this is a particular case of the Coset Intersection problem of recognizing, given 
A, B C S m and s,t G S m , if the cosets (A)s and (B)t intersect. 
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Proposition 4.2 Element Conjugacy and Centralizer and Coset Intersec- 
tion are equivalent with respect to the polynomial-time many-one reducibility. 

Proof. We first reduce Element Conjugacy to Centralizer and Coset Inter- 
section. Given permutations a and a±, it is easy to recognize if they are conjugate 
in S m and, if so, to find an s such that a\ — Oq. The set of all z e S m such that 
a\ = ag is the coset C(a )s. It follows that (U) contains v such that ai = iff 
C(a ) and (£7)s _1 intersect. 

A reduction from Centralizer and Coset Intersection to Element Conju- 
gacy is based on the fact that C(x) and (U)y intersect iff x and yxy~ l are conjugated 
via an element of (U). □ 

Note that, while the reduction we described from Element Conjugacy to Cen- 
tralizer and Coset Intersection works only for permutation groups, the re- 
duction in the other direction works equally well for arbitrary finite groups with 
efficiently performable group operations, in particular, for matrix groups over finite 
fields. 

We now have three different ways to prove that Element Conjugacy is in coAM 
and is therefore not NP-complete unless the polynomial-time hierarchy collapses. 
First, this fact follows from Theorem 4.1 by Proposition 2.2. Second, one can use 
Proposition 4.2 and the result of [5, Corollary 12.2 (d)] that Coset Intersection 
is in coAM. Finally, one can design a constant-round IPS for the complement of 
Element Conjugacy as it is done in the preceding section for the complement of 
Group Conjugacy. 

We conclude with two questions. 

Question 4.3 Is there any reduction between Group Conjugacy and Coset In- 
tersection? We are not able to prove an analog of Proposition 4.2 for groups 
because, given A ,Ai C S m such that (Ai) = (A ) v for some v G S m , we cannot 
efficiently find any v with this property (otherwise we could efficiently recognize the 
Similitude of Permutation Groups). 

Question 4.4 Does Element Conjugacy reduce to Group Conjugacy? Where- 
as Corollary 3.3 gives us an evidence that Group Conjugacy is not NP-complete, 
we have no formal evidence supporting our feeling that Group Conjugacy is not 
solvable efficiently. A reduction from Element Conjugacy could be considered such 
an evidence as Element Conjugacy is not expected to be solvable in polynomial 
time [4, page 1483]. 

Note that the conjugacy of permutations a and a x via an element of a group (U) 
does not reduce to the conjugacy of the cyclic groups (ao) and (ai) via (U) because 
(do) and (ai) can be conjugated by conjugation of another pair of their generators, 
while such a new conjugation may be not necessary via (U). For example, despite 
the groups ((123)) and ((456)) are conjugated via ((14)(26)(35)), the permutations 
(123) and (456) are not. 
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